Cyber Security

AN OVERVIEW OF DATA PRIVACY LAWS IN NIGERIA.

Favour Oshiobugie
| August 28th, 2024

1.1 INTRODUCTION

The statement "data is the new oil" is true now more than ever. It highlights how important data has become in the modern economy. Similar to how oil must be refined to produce valuable products, data produce insights that can provide companies with a competitive advantage. Data also serves as a catalyst for creativity, advancing numerous technological innovations including artificial intelligence.

The importance of data in today's digital age cannot be overstated as it drives decision-making, informs business strategies, and enhances user experiences. Thus, with the increasing reliance on data for various applications, there is a need for paramount protection. 

The Nigeria Data Protection Act (2023) defines “personal Data” as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual…”

Most times before users can gain access to applications, they often need to provide personal data, such as their names, email addresses, and other identifying information. This data is essential for creating accounts and personalizing user experiences. However, once users share their data, it is crucial to ensure its protection and maintain data privacy. Without proper safeguards, this information can be vulnerable to misuse, leading to potential harm such as identity theft or unauthorized access. Therefore, implementing data protection measures is vital to create a safe environment where users’ information is handled responsibly.

Data privacy is crucial because individuals need to trust that their personal information will be treated carefully to engage online. When people feel secure that their information is handled responsibly, they are more likely to engage with services and share their data, ultimately benefiting both users and businesses. Therefore, implementing effective data protection measures is essential to ensure that the value of data is preserved while minimizing the risks of misuse and breaches. 

Across various jurisdictions, ‘privacy’ is seen as a fundamental human right, leading to the creation of data protection laws to safeguard that right. In Nigeria, Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) guarantees the fundamental right to privacy for Nigerians, including their telegraphic communications. 

 

1.2 DATA PROTECTION AND PRIVACY LAWS AND REGULATIONS IN NIGERIA

 

1.2.1 NIGERIA DATA PROTECTION ACT 2023 (“NDPA”) 

It is worthy to note that the Nigeria Data Protection Act 2023 (“NDPA”) is the principal data protection legislation in Nigeria. It was signed into law on 12th June 2023. Before the enactment of the Act, efforts were made by the Nigeria government to ensure the protection of personal data through subsidiary legislation, such as the Nigeria Data Protection Regulation 2019 (The "Data Protection Regulation"), issued by the National Information Technology Development Agency (NITDA). 

In the current digital landscape, safeguarding privacy and data has become an essential issue for nations, businesses, and individuals. In Nigeria, this concern prompted a partnership between the Nigeria Data Protection Bureau (NDPB) and the International Development Association, which led to the introduction of the Data Protection Act. This legislation provides a regulatory framework for handling personal data, outlines the rights of individuals regarding their data, and establishes guidelines for data security, cross-border data transfers, and the responsibilities of data controllers and processors. It also includes penalties for non-compliance and methods for resolving disputes. Additionally, the Act created the Nigeria Data Protection Commission, an independent authority responsible for monitoring data protection practices and ensuring adherence to the law.

The key objectives of this Act include: 

  1. Upholding the 1999 Constitution's guarantees of fundamental rights, as well as the interests of data subjects.
  2. Controlling how personal data is processed.
  3. Encouraging data processing best practices that protect individuals' privacy and the security of their personal information.
  4. Defending the rights of data subjects and offering channels for redress in the event that those rights are violated.
  5. Guaranteeing that processors and data controllers meet their duties to data subjects.
  6. Reinforcing the national digital economy's legal framework.
  7. Ensuring Nigeria's involvement in regional and international economies by using personal data in a way that is both helpful and reliable.

In terms of legislation, the NDPA 2023 is the most all-encompassing. The NDPA applies throughout the Federal Republic of Nigeria since it is a National Assembly Act. It should be noted that the NDPA 2023 does not completely repeal or negate the NDPR from 2019. Rather, it maintains the NDPR and all other decisions, rules, and regulations enacted by the National Information Technology Development Agency until they are revoked, replaced, reassembled, or otherwise changed.

1.2.2 SUBSIDIARY LEGISLATIONS THAT IMPACT DATA PROTECTION IN NIGERIA  

  1. The Constitution of the Federal Republic of Nigeria 1999 (as amended).

Nigerians have a fundamental right to privacy under the constitution. In their homes, phone calls, telegraphic communications, etc. they are guaranteed privacy under Section 37 of the Constitution. Before now, Nigeria's data privacy laws were only based on the Constitutional clause protecting citizens' rights to communicate privately. But when worries about privacy increased on a global scale, specific legislation began to surface. These regulations built on the fundamental right to privacy by prescribing more detailed guidelines meant to protect and enhance citizens' rights to privacy. All data controllers in the Nigerian are now subject to data privacy legislations enacted by the government and other various subsidiaries legislations not specifically on data privacy. 

2. The Nigeria Data Protection Regulation 2019 (“NDPR”).

The Nigeria Data Protection Regulation 2019 was developed by the National Information Technology Development Agency (NITDA). It is applicable to both Nigerian citizens living abroad and Nigerian residents. Legal protections for the handling of personal data are provided by the NDPR. According to the NDPR, Personal Data must be processed for a particular, legitimate, and legal purpose that the data subject has approved. The NDPA 2023 does not repeal this legislation.

3. The NDPR Implementation Framework 2020, issued by the National Information Technology Development Agency (“NDPR Implementation Framework”).

In order to guarantee a targeted execution of the data protection policies in Nigeria, this Framework expands upon the NDPR 2019. Due to the enactment of this framework administrators, processors, and data controllers understand the requirements necessary for compliance of data protection laws within their companies. The NDPR 2019 should not be read in isolation from the Framework; rather, they should be read together.

4. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria (the "Guidelines") were released by the NITDA on May 18, 2020. The Guidelines aim to give public officers and public institutions direction on how to handle and manage personal data in accordance with the 2019 Nigeria Data Protection Regulation. All Nigerian public institutions that handle a data subject's personal data, including as ministries, departments, agencies, etc, are subject to the Guidelines. All public institutions are required by the Guidelines to secure personal data when processing it. The NDPR and any other applicable laws and regulations in Nigeria must be followed to protect all types of personal information belonging to a Nigerian citizen, resident, or non-Nigerian person who interacts with public institutions or to which such public institutions have access to personal information for statutory or administrative purposes.

5. The Child Rights Act 2003.

A child is defined as any person under the age of eighteen (18) under the Child Rights Act 2003, which affirms the constitutional right to privacy as it pertains to children. Section 8 of the Act grants a child the right to privacy, subject to the parent or guardian's ability to exercise supervision and control over their conduct. 

6. The Cybercrimes (Prohibition, Prevention etc.) (Amendment) Act 2024. 

The Cybercrimes (Prohibition, Prevention etc.) Act mandates that financial institutions retain and secure data, makes intercepting electronic communications illegal, and establishes a legal and regulatory framework that forbids, prevents, detects, prosecutes, and punishes cybercrimes in Nigeria.

7. The Nigerian Communications Commission Act, 2003 on data protection in the telecommunications industry.

8. The Freedom of Information Act 2011.

9. National Identity Management Commission Act, 2007 (the NIMC Act)

10. National Cybersecurity Policy and Strategy, 2021.

11. The National Health Act 2014.

12. Consumer Protection Framework 2016

13. The HIV and AIDS (Anti-Discrimination) Act 2014.

14. The National Information Technology Development Agency Act 2007.

 

1.3 CONCLUSION 

The above legislations and guidelines regulate data privacy in Nigeria. However, this list is not exhaustive, and the landscape of data protection continues to evolve. As technology advances and the volume of data increases, so does the need for more comprehensive and adaptive laws. 

The Nigeria Data Protection Act is a positive achievement in Nigeria at a time of digitalization around the world. The digital economy is notable for being data-driven. Any country that wants to embrace a digital economy needs to ensure that there are efficient data protection measures in place. This will boost investor confidence and the business environment in Nigeria since businesses will have a clear set of rules to follow when gathering and when collecting and processing personal data. 

 

 

Reference 

  1. The Economist, ‘The World’s Most Valuable Resource is no Longer Oil, but Data’   Economist (6 May 2017) <https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data>accessed 26 August 2024.
  2. Ngozi Aderibigbe ‘The Nigeria Data Protection Act (2023) defines “personal Data”’ ( Lexology, 2023) >https://www.lexology.com/library/detail.aspx?g=f44586b1-0048-4d93-a461-4d8c0aada232>accessed 26 August 2024.
  3. The Nigeria Data Protection Act, 2023.
  4. the 1999 Constitution of the Federal Republic of Nigeria (as amended).
  5. The Child Right Act, 2003.
  6. The Nigeria Data Protection Regulation 2019 (“NDPR”).

Favour Oshiobugie
Author

Sign up for our Newsletter

Join our newsletter and get resources, curated content, and design inspiration delivered straight to your inbox.

Related Post